
Re: CVS Feature Version 1.12.3 Released! (security update)

From: Derek Robert Price
Subject: Re: CVS Feature Version 1.12.3 Released! (security update)
Date: Mon, 15 Dec 2003 22:24:47 -0500
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 Netscape/7.1


Steve McIntyre wrote:

>On Fri, Dec 05, 2003 at 12:25:55AM -0500, Derek Robert Price wrote:
>>CVS feature version 1.12.3 has been released.  Feature releases contain
>>new features as well as all the bug fixes from the stable release.  This
>>release fixes a security issue with no known exploits that could cause
>>previous versions of CVS to attempt to create files and directories in
>>the filesystem root.  This release also fixes several issues relevant to
>>case insensitive filesystems and some other bugs.  We recommend this
>>upgrade for all CVS clients and servers already running the feature
>>release and those users who like to stay on the cutting edge!
>Derek, are you sure the simple fix in modules.c to check for
>!isabsolute() will fix the hole here? What about people specifying
>../../../../../../<something> ? Probably the easiest fix for that is
>to modify isabsolute() to check for .. entries in the path

If you can send me a reproducible case where CVS doesn't abort with an
error, I'll be happy to look into it, but I am pretty sure CVS has been
catching the indirection case for years.  Go ahead and try it.


--

Email: address@hidden

Get CVS support at <>!
--
I will return the seeing-eye dog.
I will return the seeing-eye dog.
I will return the seeing-eye dog...

          - Bart Simpson on chalkboard, _The Simpsons_
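A path check of the kind this exchange is about, written here as an added illustration and not CVS's own isabsolute() or modules.c code: it rejects absolute paths and any ".." component, which covers both the root case from the release note and the ../../ case Steve raises.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical checker (added example, not from CVS).
 * Returns 1 when PATH is a plain relative path containing no ".."
 * component, 0 otherwise.  Both '/' and '\\' are treated as separators
 * so a Windows-style "..\\" cannot slip past a '/'-only split. */
int is_safe_relative_path(const char *path)
{
    const char *p = path;

    if (path == NULL || *path == '\0')
        return 0;

    /* Absolute paths: Unix root, Windows root/UNC, or a drive letter. */
    if (path[0] == '/' || path[0] == '\\')
        return 0;
    if (((path[0] >= 'a' && path[0] <= 'z') ||
         (path[0] >= 'A' && path[0] <= 'Z')) && path[1] == ':')
        return 0;

    /* Walk each separator-delimited component; ".." anywhere escapes
     * the intended directory, so the whole path is refused. */
    while (*p) {
        const char *end = strpbrk(p, "/\\");
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        if (end == NULL)
            break;
        p = end + 1;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample inputs, not taken from any real repository. */
    const char *samples[] = { "src/main.c", "/etc/passwd",
                              "../../../../etc/passwd", "src/../../x",
                              "C:\\tmp\\x", "src\\..\\x", "src/..foo/x" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %s\n", samples[i],
               is_safe_relative_path(samples[i]) ? "ok" : "rejected");
    return 0;
}
```

A component such as "..foo" is legitimate and is kept; only a component that is exactly ".." is refused.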

